Is Copilot FERPA Compliant? Complete Guide for 2026

In early 2023, a school district in Wisconsin discovered that several teachers had been using ChatGPT to generate report card comments. The AI was efficient. It was also pulling from a database that now contained student names, grades, behavioral observations, and learning disability notes. That data had been transmitted to OpenAI's servers, stored indefinitely, and potentially used to train future AI models.

The district scrambled to assess whether they'd triggered a FERPA violation. The answer wasn't clear cut. FERPA doesn't have a regulatory body that issues fines like GDPR. What it has is worse for schools: the potential loss of federal funding. Every dollar flowing from the Department of Education to that district was theoretically at risk.

This scenario is playing out across education. According to recent surveys, generative AI usage in classrooms has grown dramatically, with teachers using these tools for lesson planning, feedback generation, and administrative work. But most teachers are using consumer AI tools that weren't designed for student data. And most schools have no policy governing AI use with education records.

Now Microsoft has entered the conversation with Copilot in education. The question every administrator and IT director needs answered: Is Copilot FERPA compliant?

The short version: If you need to redact sensitive documents before they reach AI systems, PaperVeil handles that layer. The rest of this article explains where it fits in the broader governance architecture.

The Direct Answer

Microsoft Copilot can support FERPA compliance, but only specific versions with proper configuration.

Microsoft 365 Copilot (Education): Can be FERPA compliant. Microsoft agrees to act as a "school official" with "legitimate educational interests" under FERPA's definitions. The Data Protection Addendum provides contractual commitments that student data won't be used for advertising or commercial profiling.

Copilot with Enterprise Data Protection: When users sign in with their school's Microsoft Entra ID account, they get Enterprise Data Protection (Microsoft's earlier name for this was "commercial data protection"). Prompts and responses aren't used to train AI models. The green shield icon indicates these protections are active.

Consumer Copilot (free tiers): Not FERPA compliant. No school official designation, no contractual protections, data may be used for model training. If your teachers are using the free Copilot with student information, you have a compliance problem.

The critical distinction: FERPA doesn't have a certification process. Microsoft can't show you a "FERPA Compliant" certificate. What they can do is provide contractual commitments that align with FERPA requirements. Your institution must still assess whether your specific use of Microsoft's services meets your FERPA obligations.

What FERPA Actually Requires

The Family Educational Rights and Privacy Act protects students' education records at any institution receiving federal education funding. That covers virtually all public K-12 schools and most post-secondary institutions.

Education Records

FERPA protects "education records," defined as records directly related to a student and maintained by an educational institution. This includes:

  • Grades and transcripts
  • Enrollment information
  • Financial aid records
  • Disciplinary records
  • Special education documentation
  • Any notes or observations that identify a student

When a teacher pastes a student's name alongside their grade into an AI tool, that's an education record being transmitted to a third party.

The School Official Exception

FERPA generally prohibits disclosing education records without consent. But there's an exception: schools can share records with "school officials" who have "legitimate educational interests." This is how schools can share student data with contractors, consultants, and technology providers without getting parental consent for every interaction.

Microsoft's Data Protection Addendum establishes Microsoft as a school official under this exception. When you use Microsoft 365 Education services, Microsoft contractually agrees to:

  • Abide by the same limitations as school officials
  • Use student data only to provide educational services
  • Not mine student data for advertising
  • Not disclose data except as the institution directs

This is the legal foundation that allows schools to use Microsoft 365 with student records.

What FERPA Doesn't Do

FERPA doesn't work like GDPR. There are no standardized audits or certifications. The Department of Education doesn't issue FERPA compliance certificates. Instead, schools must conduct their own assessments of whether their technology usage complies with the law.

The penalty structure is also different. FERPA violations don't result in per-incident fines like European regulations. The penalty is potential loss of federal funding. In practice, this means the Department of Education investigates complaints, issues findings, and gives schools time to remediate. Complete loss of funding is rare but possible.

Where Copilot Falls Short

Even with Microsoft's contractual commitments, several gaps require attention.

Consumer Copilot Has No FERPA Protections

Free Copilot, Copilot Pro (personal), and other consumer tiers don't include the school official designation or education-specific commitments. If your faculty and staff are using consumer Copilot because it's easily accessible, they're transmitting student data to a service with no FERPA framework.

This is the biggest risk in education AI. The school has Microsoft 365 Education licenses with proper protections. But teachers open a browser, go to copilot.microsoft.com, and use the free version because they don't know the difference. The interface looks similar. The compliance posture is completely different.

Web Search Creates Exposure

Weill Cornell Medicine announced in July 2025 that they were disabling web search in Microsoft 365 Copilot specifically to maintain FERPA compliance. The concern: when Copilot performs web searches, data leaves the protected Microsoft 365 environment.

If a teacher asks Copilot to help draft a communication about a student's situation and Copilot searches the web as part of generating a response, that query potentially contains identifying information that's now been transmitted outside your institutional boundary.

For FERPA compliance, consider disabling web search functionality in your Copilot deployment.

Third-Party Integrations Add Risk

Microsoft Teams allows integrations with Google Drive, Dropbox, and other cloud storage services. Some institutions, like the University of Illinois, have specifically blocked these integrations because they aren't FERPA-approved.

Each integration you enable in your Microsoft 365 environment potentially creates another path for student data to leave your controlled environment. Audit your integrations and disable any that lack appropriate FERPA commitments.

No Audit or Certification Exists

Schools often want vendors to show proof of FERPA compliance. Microsoft can't provide that because FERPA doesn't work that way. What Microsoft provides is:

  • Contractual language designating them as a school official
  • Commitments about how student data will (and won't) be used
  • Technical controls like encryption and access management
  • Compliance certifications for adjacent frameworks (SOC 2, ISO 27001)

But the compliance assessment is your responsibility. You can't outsource FERPA accountability to a vendor checklist.

Making Copilot FERPA Compliant

Here's how to configure Microsoft Copilot for FERPA-compliant use in education.

Step 1: Use Only Education or Enterprise Tiers

Acceptable for student data:

  • Microsoft 365 Copilot with Microsoft 365 A3 or A5 licenses
  • Copilot with Enterprise Data Protection (Entra ID sign-in)

Not acceptable for student data:

  • Free Copilot
  • Copilot Pro (personal subscription)
  • Any Copilot access without school account authentication

Block access to consumer Copilot at the network level if possible. Make the compliant path the easy path.

Step 2: Verify Your Data Protection Addendum

Microsoft's DPA contains the school official designation and FERPA-specific commitments. Confirm that:

  • Your institution has accepted Microsoft's DPA
  • The DPA version includes FERPA provisions
  • Your Microsoft 365 Education contract is current

Contact your Microsoft education account representative if you're uncertain about your contractual coverage.

Step 3: Configure Copilot Appropriately

For maximum FERPA alignment:

  • Disable web search to keep data within your Microsoft 365 boundary
  • Audit third-party integrations and disable those without FERPA protections
  • Review permission settings so Copilot only accesses data appropriate for each user's role
  • Enable audit logging to document what data Copilot processes

Step 4: Train Your Staff

Teachers and administrators need to understand:

  • Which Copilot product to use (and how to verify they're using the right one)
  • What data can and cannot be entered (even with compliant Copilot, minimize unnecessary exposure)
  • How to identify the green shield indicating Enterprise Data Protection
  • What to do if they accidentally use consumer Copilot with student data

Step 5: Document Your Assessment

Since FERPA doesn't have external certification, your documentation is your compliance evidence. Maintain records of:

  • Your assessment of Microsoft's FERPA commitments
  • Your Copilot configuration decisions and rationale
  • Staff training completion
  • Any incidents and how they were handled

If the Department of Education investigates a complaint, you need to demonstrate that you conducted a good-faith assessment and implemented reasonable protections.

Step 6: Implement Redaction for Sensitive Data

Even with compliant Copilot, consider whether some data shouldn't reach AI systems at all. Students with disabilities, disciplinary matters, mental health concerns: these records carry extra sensitivity.

A redaction layer that strips identifying information before AI processing adds a layer of protection. The AI helps with your task. The sensitive identifiers never leave your local environment.

Before redaction:

"Draft a letter to John Smith's parents about his recent behavioral incident on January 15th. John, a student in Mrs. Garcia's 4th grade class with an IEP for ADHD, was involved in..."

After redaction:

"Draft a letter to [STUDENT]'s parents about their recent behavioral incident on [DATE]. [STUDENT], a student in [TEACHER]'s [GRADE] class with [ACCOMMODATION TYPE], was involved in..."

Copilot generates the letter framework. You insert the specifics locally. The sensitive combination of student identity plus disability status plus disciplinary information never transmits to any external system.
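The redaction-then-reinsertion flow above, written out as an added Python example (this is illustrative code, not PaperVeil's or Microsoft's). It assumes a roster of known student and teacher names (constructed here; a real deployment would load it from the student information system), tokenises the dates, grade levels and accommodation mentions that the article's example redacts, neutralises gendered pronouns, and keeps the placeholder-to-value mapping locally so the specifics can be put back into the AI's draft. The audit record stores only counts per category, never the redacted values, so the log is not itself an education record. It covers direct identifiers only: a unique combination of class, date and incident can still identify a student, so a pre-send review step remains necessary.

```python
"""Local redaction layer: strip student identifiers from a prompt before it
reaches an AI assistant, keep the mapping on-premises, and restore the
specifics into the AI's draft afterwards. Example code; roster is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Hypothetical roster. Each person is a list of aliases that all map to the
# same placeholder; the first alias is the canonical value kept in the mapping.
STUDENTS = [["John Smith", "John"]]
TEACHERS = [["Mrs. Garcia", "Garcia"]]

# Pattern-based categories for identifiers that are not names.
PATTERNS = [
    ("DATE", re.compile(
        r"\b(?:January|February|March|April|May|June|July|August|September|"
        r"October|November|December)\s+\d{1,2}(?:st|nd|rd|th)?(?:,\s*\d{4})?\b"
        r"|\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b")),
    ("GRADE", re.compile(r"\b\d{1,2}(?:st|nd|rd|th)\s+grade\b", re.I)),
    ("ACCOMMODATION TYPE", re.compile(
        r"\b(?:an?\s+)?(?:IEP|504\s+plan)\b(?:\s+for\s+[A-Za-z][\w-]*)?")),
]
# Gendered pronouns are neutralised rather than tokenised, as in the article.
PRONOUNS = [(re.compile(r"\b(his|her)\b", re.I), "their"),
            (re.compile(r"\b(he|she)\b", re.I), "they")]

# The article's before-redaction prompt, used here as constructed sample input.
EXAMPLE_PROMPT = ("Draft a letter to John Smith's parents about his recent "
                  "behavioral incident on January 15th. John, a student in "
                  "Mrs. Garcia's 4th grade class with an IEP for ADHD, was "
                  "involved in...")


@dataclass
class RedactionResult:
    text: str                                  # safe to send to the AI
    mapping: dict[str, str] = field(default_factory=dict)  # placeholder -> value, stays local
    hits: dict[str, int] = field(default_factory=dict)     # audit: counts only, no values


def _word_pattern(alias: str) -> re.Pattern:
    # Lookarounds instead of \b so "Mrs." and trailing "'s" still match.
    return re.compile(r"(?<!\w)" + re.escape(alias) + r"(?!\w)")


def redact(text: str, students=STUDENTS, teachers=TEACHERS) -> RedactionResult:
    mapping: dict[str, str] = {}
    hits: dict[str, int] = {}

    def placeholder(base: str, original: str) -> str:
        # Reuse the label if this value was already redacted; otherwise
        # allocate the next label in the category ([STUDENT], [STUDENT 2], ...).
        for label, value in mapping.items():
            if value == original and label.startswith("[" + base):
                return label
        n = sum(1 for label in mapping if label.startswith("[" + base)) + 1
        label = f"[{base}]" if n == 1 else f"[{base} {n}]"
        mapping[label] = original
        return label

    # 1. Roster names, longest alias first so "John Smith" wins over "John".
    for base, people in (("STUDENT", students), ("TEACHER", teachers)):
        for aliases in people:
            canonical = aliases[0]
            for alias in sorted(aliases, key=len, reverse=True):
                text, n = _word_pattern(alias).subn(
                    lambda m, b=base, c=canonical: placeholder(b, c), text)
                hits[base] = hits.get(base, 0) + n

    # 2. Dates, grade levels, accommodation mentions.
    for base, pat in PATTERNS:
        text, n = pat.subn(lambda m, b=base: placeholder(b, m.group(0)), text)
        hits[base] = hits.get(base, 0) + n

    # 3. Pronoun neutralisation, preserving sentence-initial capitalisation.
    for pat, repl in PRONOUNS:
        text = pat.sub(lambda m, r=repl: r.capitalize()
                       if m.group(0)[0].isupper() else r, text)
    return RedactionResult(text, mapping, hits)


def residual_identifiers(text: str, students=STUDENTS, teachers=TEACHERS) -> list[str]:
    """Pre-send guard: any roster alias still present means do not transmit."""
    return [alias for aliases in students + teachers for alias in aliases
            if _word_pattern(alias).search(text)]


def restore(ai_output: str, mapping: dict[str, str]) -> str:
    """Put the real values back into the AI's draft, on the local side only."""
    for label, value in sorted(mapping.items(), key=lambda kv: len(kv[0]), reverse=True):
        ai_output = ai_output.replace(label, value)
    return ai_output


if __name__ == "__main__":
    result = redact(EXAMPLE_PROMPT)
    assert not residual_identifiers(result.text), "roster name survived redaction"
    print(result.text)          # this string is what would go to Copilot
    print(result.hits)          # what the audit trail records
    print(restore("Dear parents of [STUDENT], regarding [DATE]...", result.mapping))
```

The `residual_identifiers` check is the part worth wiring into any real pipeline: it turns "we think the redactor worked" into a hard stop before transmission, and because it only reports roster aliases it can be run again on the AI's returned draft to confirm nothing leaked through a quoted prompt.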

Alternatives to Consider

If Microsoft's approach creates concerns for your institution:

Azure OpenAI Service provides more granular control. You manage the deployment, configure data residency, and maintain direct oversight of the infrastructure.

On-premises AI eliminates external transfer entirely. Open-source models like Llama can run on your own infrastructure. Higher cost and technical complexity, but maximum control.

Redaction-first workflow works with any AI tool. If you strip student identifiers before processing, the data that reaches the AI isn't an education record under FERPA's definitions.

The Bottom Line

Is Microsoft Copilot FERPA compliant? Microsoft 365 Copilot for Education, with proper configuration, can support FERPA-compliant workflows. Consumer Copilot is not appropriate for student education records under any circumstances.

The key actions for schools:

  1. Block consumer Copilot and ensure staff use only enterprise/education tiers
  2. Verify your DPA includes Microsoft's FERPA commitments
  3. Disable web search and audit third-party integrations
  4. Train all staff on which tools to use and how to verify protections
  5. Document your assessment of FERPA compliance
  6. Consider redaction for particularly sensitive student data

FERPA compliance isn't a checkbox. It's an ongoing institutional responsibility. Microsoft provides tools and contractual frameworks that can support compliance. But no vendor can make your institution compliant. That assessment and implementation work remains yours.

The Department of Education has signaled increased focus on AI and student privacy. Schools that haven't addressed AI governance are operating on borrowed time. Build the framework now, document your decisions, and make compliant AI use the default rather than the exception.


PaperVeil lets you redact sensitive information from documents before they reach any AI system. Detect and remove student identifiers automatically, handle transcripts and IEP documents, and generate audit trails that demonstrate compliance efforts. The redaction layer that makes AI document processing actually safe for education records.